How to prevent secrets from being exposed

The configuration is:

    - name: build-image
      image: plugins/docker
      volumes:
      - name: tmp
        path: /build
      settings:
        repo: citest
        auto_tag: true
        dry_run: true
        password:
          from_secret: passwd
      commands:
      - echo "$PLUGIN_REPO"
      - echo "$PLUGIN_AUTO_TAG"
      - apk add --no-cache curl
      - curl -s "$PLUGIN_PASSWORD" -v

PLUGIN_PASSWORD will be exposed in the access.log:

    - - [25/Jun/2019:17:15:49 +0800] "GET /testci/mypassword HTTP/1.1" 404 169 "-" "curl/7.64.0" "-"

So, is there any way to avoid this? Can a plugin ignore commands?

First, it is important to note that anyone with write access to your repository can find a way to expose a secret. This is true of most CI systems including Drone, Travis, Circle and others because anyone with write access can modify a yaml to expose a secret.

You can sign a yaml file to prevent tampering and protect against certain vectors, especially if you make secrets available to pull requests (which is otherwise disabled by default). See But please note that this does not prevent a user with write access from modifying your yaml file to expose a secret and then re-signing the yaml.

If you do not trust your collaborators you should only grant read access, and require everyone to submit pull requests for patches. Limiting who has write access to your repository is the best way to prevent malicious tampering with your source code.

Update: GitHub also provides a new branch restriction feature which can prevent developers from pushing code directly. This enforces a fork and pull request workflow and can help mitigate this vector.
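One defensive check suggested by the exchange above, as an added example that is not Drone's own tooling: a small linter over a parsed .drone.yml (a dict such as yaml.safe_load would return) that flags plugin steps which both populate a setting from_secret and declare commands, because those commands run with the same PLUGIN_* variables the plugin entrypoint would have received. The pipeline dict, step names and function names are constructed for the example.

```python
"""Flag Drone steps whose `commands` can read secret-backed plugin settings.
Added example; operates on an already parsed pipeline (yaml.safe_load output)."""


def secret_settings(step):
    """Return the names of settings in this step that come from_secret."""
    names = []
    for key, value in (step.get("settings") or {}).items():
        if isinstance(value, dict) and "from_secret" in value:
            names.append(key)
    return names


def find_risky_steps(pipeline):
    """A plugin step (image + settings) normally runs only the plugin's own
    entrypoint. Adding `commands` replaces that entrypoint with a shell that
    inherits the same PLUGIN_* environment, so every secret-backed setting is
    readable by arbitrary script in the yaml. Returns (step name, env names)."""
    findings = []
    for step in pipeline.get("steps", []):
        secrets = secret_settings(step)
        if secrets and step.get("commands"):
            env_names = ["PLUGIN_" + name.upper() for name in secrets]
            findings.append((step.get("name", "<unnamed>"), env_names))
    return findings


# Constructed sample: the step from the question, plus the same plugin used as
# intended (no commands, so only the plugin entrypoint ever sees the secret).
PIPELINE = {
    "kind": "pipeline",
    "name": "default",
    "steps": [
        {
            "name": "build-image",
            "image": "plugins/docker",
            "volumes": [{"name": "tmp", "path": "/build"}],
            "settings": {
                "repo": "citest",
                "auto_tag": True,
                "dry_run": True,
                "password": {"from_secret": "passwd"},
            },
            "commands": ['echo "$PLUGIN_REPO"'],
        },
        {
            "name": "publish",
            "image": "plugins/docker",
            "settings": {"repo": "citest", "password": {"from_secret": "passwd"}},
        },
    ],
}

if __name__ == "__main__":
    for name, env in find_risky_steps(PIPELINE):
        print(f"step {name!r}: commands can read {', '.join(env)}")
```

Running it reports only the build-image step; the publish step, which leaves the plugin entrypoint in place, is not flagged. Such a check belongs in a pre-merge review job, and as the reply notes it does not replace restricting write access.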
